RELIABLE NON-REPUDIABLE SYSLOG SIGNING AND ACKNOWLEDGEMENT

Field of the Invention 
[0001] This invention relates to computer based communication systems and more particularly to security protocols for remotely managed devices.

Background of the Invention 

[0002] There are many instances in which recording or logging an event can serve a useful purpose. This may be, for example, so that information in the logged event can be evaluated or referred to at a later date. Also, it may be desirable to establish the real time of an event, or the record may be used as evidence that an event actually occurred.

[0003] In the field of computer based communications systems it is also useful to maintain a record of certain events. Frequently in this environment a device or a group of devices is controlled by a management entity that is remote from the device or devices. The management entity may serve as a collector of event logs relating to the devices which it controls. This remote management functionality can be a conduit to security threats against the access points as well as to the transmission media and to the management protocol itself. To answer this, a number of security measures can be put in place and the management protocols themselves can be made as secure as possible.

[0004] One of the security measures that has been implemented is the Syslog protocol. The Syslog process has been devised to categorize and log diverse messages and to permit rapid differentiation of notifications or messages relating to problems from notifications which relate to simple status indications.
[0005] The Syslog protocol was developed to provide a transport medium to allow a machine to send event notification messages across IP networks to event message collectors, which are also known as Syslog servers. The processes, applications and operating systems that use the Syslog protocol lack uniformity as to the content of messages. For this reason there is no attempt to format or to assure the contents of the messages. The protocol is simply designed to transport event messages to the collector where they are stored. In all cases there is one device that originates the message. The Syslog process on that machine may send the message to a collector, but no acknowledgement of receipt is made. Typically, the integrity of Syslog messages can be a critical security issue.

[0006] In an attempt to rectify this problem there have been a number of proposals to make Syslog more secure. In this regard integrity and confidentiality are both considered important; however, integrity is the key issue.

[0007] Syslog Sign introduces a mechanism for adding origin authentication, message integrity, replay resistance, message sequencing and detection of missing messages. Syslog Sign attempts to provide these security features in a way that has minimal requirements and minimal impact on existing Syslog implementations. Thus Syslog Sign has many key benefits, in particular backward compatibility with existing Syslog collectors and the notion of periodic digital signatures which protect against log modification.



[0008] In addition to the Syslog protocol and Syslog Sign, Reliable Syslog and BEEP are being developed. As noted above, Syslog itself provides a simple protocol for event logging, but there are no security mechanisms nor any means to guarantee delivery or reliability. Syslog Sign adds a level of security by providing for signed messages from the device to the server (collector). Unfortunately, there is no way for the device to verify correct receipt and there are no mechanisms to guarantee delivery.

[0009] Reliable Syslog adds a new extension to the protocol by providing a layer of reliability. Reliable Syslog suffers from two drawbacks, however: it is essentially a new protocol and is not compatible with current Syslog protocols, and there is no way for the device to prove that the collector received the logs correctly. BEEP only secures the transport and thus on its own is not a solution for long term verification and storage of logs.

[0010] Accordingly, there remains a need to develop an improved protocol for event logging and verification.

Summary of the Invention 

[0011] The present invention is directed to methods and apparatus for logging events pertaining to remotely managed devices. According to the invention a collector/management entity that remotely manages, and/or collects event logs received from, a device provides to the device authenticated acknowledgement of event logs that have been successfully received.

[0012] Therefore in accordance with a first aspect of the present invention there is provided a method of logging events relating to a remotely managed device in a computer-based communications system, the method comprising: signing, at a collector entity that collects event logs received from the device, an Acknowledgement Block (AB); and making the AB available to the device.

[0013] In an embodiment of the invention the collector entity also serves as a management entity to remotely manage the device.
[0014] In accordance with a second aspect of the invention there is provided an apparatus for logging events relating to a remotely managed device in a computer-based communications system, comprising: means, at a collector entity that collects log events received by the device, to generate an Acknowledgement Block (AB) and to make the AB available to the device.



Brief Description of the Drawings 

[0015] The invention will now be described in greater detail with reference to the drawings wherein:

[0016] Figure 1 illustrates some possible architectures relevant to the present invention; and

[0017] Figure 2 shows a messaging sequence with the Acknowledgement Block.

Detailed Description of the Invention

[0018] Figure 1 illustrates some of the possible architectures to which the present invention pertains. The figure shows optional configurations wherein a device 12 sends messages directly to a collector 14, or where the device sends messages to the collector through one or more relays 16, either in series or in parallel.

[0019] According to the invention a new message is added to the aforementioned Syslog Sign protocol. As indicated previously, the Syslog Sign protocol has some significant advantages, including its ability to maintain backward compatibility with current Syslog protocols. Any standard Syslog collector can accommodate the new protocol; only the Syslog device needs to be modified. Further, the security is not reliant on the transport and is stored with the traditional Syslog message, and thus can be checked offline at a later time. There is non-repudiation of the device messages, i.e. the collector can prove that the device sent all correctly received messages. The Syslog Sign protocol, however, includes the aforementioned shortcomings, which are addressed by the present invention. Hence, the invention seeks to preserve most of the aforementioned benefits while adding the following properties: reliable transmission; non-repudiation of the collector, i.e. the device can now prove that the collector received all messages; and prevention of an attack where someone tries to hide some mischievous activity by blocking/diverting all incriminating logs.

[0020] According to the invention a new message must be sent from the collector to the device for the protocol to complete. This is a new message which is not part of the Syslog or the Syslog Sign standards. However, it could be part of an SNMP MIB or perhaps a return Syslog message where the roles of device and collector are reversed.



[0021] Thus, according to the new message added to the Syslog Sign protocol, the collector periodically signs an acknowledgement block (AB) and makes it available to the device. The term periodically is presumed to be configurable based on the number of log messages or the time interval between messages. The acknowledgement block contains the following fields:

last correctly received Syslog Sign block;

last correctly received Syslog message since the above-mentioned Sign block; and

a bit map of all correctly received packets since the above message.

[0022] Figure 2 illustrates one embodiment of the Acknowledgement Block and the fields which are contained in it. It also shows a number of sequential events or messages followed by a Syslog Sign message and the AB.

[0023] It is also within the scope of the present invention for the collector/management entity to sign the AB and to include the signature in the AB.
[0024] Optionally, a message carrying the number of a Syslog Sign block that has not been correctly received, i.e. where the signature does not match, can be generated. It is contemplated that the Syslog Sign block number message will be limited to a maximum of one instance per bad signature block to prevent certain kinds of cryptographic attacks or denial of service attacks.

[0025] The device can continue to log messages as usual but can optionally store all unconfirmed messages and re-send messages which have not been confirmed or have been confirmed to be part of a bad signature block.

[0026] The invention may also add an initial message from the device to the collector indicating that the device can accept the new message types.
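As an added illustration, not part of the application, the following Go code models the acknowledgement block of paragraphs [0021] to [0023] and the device-side re-send decision of paragraph [0025]. The text fixes only the field names; the 32-bit field widths, the byte layout, the bit ordering of the map, the reading of "last correctly received message" as the last one received in order, and the use of Ed25519 for the collector's signature are all assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// AckBlock holds the three fields named in the text plus the collector's signature; widths and bit order are assumptions.
type AckBlock struct {
	LastSignBlock uint32 // last correctly received Syslog Sign block
	LastMsg       uint32 // last message received in order after that block (assumed meaning)
	Bitmap        []byte // bit i (MSB first) set = message LastMsg+1+i was received
	Sig           []byte // Ed25519 signature over the three fields above
}

// payload is the canonical byte string that is signed and verified.
func (ab *AckBlock) payload() []byte {
	buf := make([]byte, 8, 8+len(ab.Bitmap))
	binary.BigEndian.PutUint32(buf[0:], ab.LastSignBlock)
	binary.BigEndian.PutUint32(buf[4:], ab.LastMsg)
	return append(buf, ab.Bitmap...)
}

// Sign runs at the collector; Verify runs at the device or at a later offline audit.
func (ab *AckBlock) Sign(priv ed25519.PrivateKey) { ab.Sig = ed25519.Sign(priv, ab.payload()) }
func (ab *AckBlock) Verify(pub ed25519.PublicKey) bool { return ed25519.Verify(pub, ab.payload(), ab.Sig) }

// Unconfirmed lists sequence numbers in (LastMsg, highestSent] that the bitmap
// does not mark as received; the device re-sends these (paragraph [0025]).
func (ab *AckBlock) Unconfirmed(highestSent uint32) []uint32 {
	var missing []uint32
	for seq := ab.LastMsg + 1; seq <= highestSent; seq++ {
		i := int(seq - ab.LastMsg - 1)
		if i/8 >= len(ab.Bitmap) || ab.Bitmap[i/8]&(0x80>>uint(i%8)) == 0 {
			missing = append(missing, seq)
		}
	}
	return missing
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ab := &AckBlock{LastSignBlock: 7, LastMsg: 100, Bitmap: []byte{0xB0}} // constructed sample: 101, 103 and 104 received
	ab.Sign(priv)
	fmt.Println(ab.Verify(pub), ab.Unconfirmed(108)) // true [102 105 106 107 108]
}
```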



[0027] Although particular embodiments of the invention can be described and illustrated, it will be apparent to one skilled in the art that numerous changes can be made without departing from the basic concept of the invention. It is to be understood, however, that such changes will fall within the full scope of the invention as defined by the appended claims.



